A pre-ticked box in web forms should NOT mean consent - EU report

Businesses will not be able to use pre-ticked boxes to gain user consent for the processing of their data under changes proposed by the European Parliament to new EU data protection laws.

In a new report, Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed EU data protection reforms, said that consumers should not have to opt out from automatic settings in order to avoid businesses deeming that they have given consent to their personal data being processed.

Albrecht's report contains proposed amendments to the draft General Data Protection Regulation the European Commission published in January 2012. Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Albrecht has now said (215-page/751KB PDF) that freely given consent would generally not be said to have been obtained if the consent is gleaned from "pre-ticked boxes" companies often use in consumer agreements.

"In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment," Albrecht said. "The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent."

Organisations seeking to rely on consent should have the burden of proving that they have obtained the permissions from consumers, but under Albrecht's plans would not have to seek confirmation of data subjects' by way of a "positive identification ... unless necessary" in order to be said to have sufficient proof of consent.

Companies that hold a dominant position in a particular market would also face more stringent rules on consent if Albrecht's proposals are adopted. Under the Commission's plans consent could not be relied upon by firms if there was a "clear imbalance" of rights in their favour that disadvantaged consumers. Albrecht has expanded on this concept and suggested that dominant market players could not make "unilateral and nonessential" changes to contractual terms if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

Albrecht has also proposed new rules that would allow companies to rely on "automated means using a technical standard" to obtain individuals' consent to the processing of pseudonymised data. However, the standard through which that consent could be gleaned would have to be approved by the European Commission.

Albrecht said that this would incentivise the processing of pseudonymised information and allow for standards such as 'do not track' (DNT) to be used. The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, has been working on developing a new DNT controls system for operation within web browser settings.

The rapporteur has also set out what should be meant be 'anonymised' data, which he said would be fully outside the scope of the data protection law framework.

"[Anonymised data is] data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed," Albrecht has proposed.

Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned. However, Albrecht has proposed that companies should only be able to rely on the 'legitimate interests' provisions in "exceptional circumstances".

Albrecht's report also contains proposed amendments that provide guidance on when organisations' 'legitimate interests' could be said to outweigh individuals' rights, and vice versa.

Under the Commission's draft Regulation, businesses would be required to notify any regulators of any data breach "without undue delay and, where feasible, within 24 hours" of having become aware of it. However, Albrecht has said it is "not always feasible" for companies to meet this deadline, and has proposed extending the reporting requirement to within 72 hours. Individuals should only be notified in cases where the breach is "likely to adversely affect the protection of [their] personal data or privacy ... for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation".

The ability of the European Commission to lay out some detail on the meaning and interpretation of some of the rules under the proposed new Regulation would be tempered if Albrecht's proposals were adopted. The Commission would have to consult with supervisory privacy body the European Data Protection Board over the 'delegated acts' it would want to introduce.

The report has also recommended that data controllers or processors provide “financial indemnification” to individuals for any data breaches that occur from international data transfers to non-approved 'third' countries. In addition, the individuals should be provided with full details” of the access rights public authorities in those countries have to their personal data, Albrecht has proposed.